Atomicorp

I do not know the /path/to/dangerous/application. The only information about this is contained above.

Parallels will not assist with changes to ASL config. It is not their job.

I have already re-opened the Parallels Support Ticket ticket after disabling TPE. This is the "next step" and, as you can see, Parallels have recommended "load usual stock kernel instead of art's kernel." I would have to ask them /path/to/dangerous/application and then let them try again. What will the next thing be that I must disable? I do not want to lose their assistance at this stage. I cannot keep making minor changes and then send them off to try again, make another minor change, etc, etc.

Where are the "many other ASL users who also use Dr. Web?" They are not a part of this topic. Please read the topic subject ((SOLVED) = it is not! btw) I am a server administrator with basic server administration skills. I am not a server security expert. I want affective server security and effective server antivirus. I do NOT want server security that is so effective that it disallows other important programs (like antivirus) to run. There will be many people out there who want the same thing - who are not server security experts. If they were to stumble upon this post, it may assist in their "layman's" assessment regarding your product purchase or their desicion to use the ASL kernel.

I have invested 2 months of my time and money to arrive at the point where we are now. I will not be paying US$225.00, as you have quoted, to solve this problem. I will not be spending any more time and I will be selecting the quickest solution from this point.

The quickest solution seems to be "load standard kernel" and I wonder how complicated this is and can I manage this myself?

Because the other alternative is to ask you if you know the /path/to/dangerous/application OR ask Parallels for the /path/to/dangerous/application then run the command and wait to see what the next kernel-related issue is. I do not want to lose Parallels support in this process when they say the issue is clearly "grsec"

i would try
chpax -m /etc/sw/keys/restart/plesk-key-handler
or
chpax -m /usr/bin/sw-engine-cgi
or under opt/drweb the drwebd or drwebdc file. (check with rpm -ql drweb-daemon-5.0.1-0plesk)
step by step.

if it's not working you can go back with:
chpax -M /path/to/dangerous/application (watch the capital letter!)

Thank you for your effort & time, Bruce.

But this has gone on too long and cost me too much time, money & headache.
I'm afraid I am worn out and I simply cannot go around in circles any longer.

I would like someone to tell me, in easy to follow steps, how I return to my previous kernel before I allowed the install of the ASL kernel.

And do I need to undo the steps taken to disallow TPE (mentioned above in this post) before I go through the steps which will set up the loading of my previous kernel?

The quickest solution seems to be "load standard kernel" and I wonder how complicated this is and can I manage this myself?

The process is pretty simple. You just need to change one line in /etc/grub.conf to tell Linux what kernel to use.

Also, I'm sorry that Parallels support does not seem to want to take the time to help you with this problem with their product. We do care about your business, and so far we have provided you with solutions that work, but they seem to be a bit too difficult for you manage yourself - so I'll do my best to try and help you. I really do wish all these things we simple, and we try to build that into ASL as much as we can.

Option 1: Configuring what kernel to boot into in Linux:

As previously mentioned, we've documented the standard Linux process for configuring which kernel to boot into here:

https://www.atomicorp.com/wiki/index.ph ... el_to_boot

This is not our procedure or our boot loader, this is standard on all Linux systems, and has nothing to do with ASL. You would have to follow the same procedure without or without our product, so theres nothing we can do to make this easier - this is just the way it is in Linux. And although this is an OS support question, and something you should ask your OS vendor about, I will do my best to try and help you to configure your system to boot into a kernel of your choice.

From the wiki article, how to set which kernel to boot into:

Step 1. Become root on your system

su -

Step 2. Edit the file /etc/grub.conf

Use your editor of choice:

nano /etc/grub.conf

or

gedit /etc/grub.conf

or

vi /etc/grub.conf

A typical grub.conf file will look similar to this:

# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/md1
# initrd /initrd-version.img
#boot=/dev/md0
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.27.7-9.art.i686)
root (hd0,0)
kernel /vmlinuz-2.6.27.7-9.art.i686 ro root=/dev/md1 rhgb quiet selinux=0 panic=5 ramdisk_size=128000
initrd /initrd-2.6.27.7-9.art.i686.img
title CentOS (2.6.26.6-1.art.i686)
root (hd0,0)
kernel /vmlinuz-2.6.26.6-1.art.i686 ro root=/dev/md1 rhgb quiet selinux=0 panic=5 ramdisk_size=128000
initrd /initrd-2.6.26.6-1.art.i686.img
title CentOS (2.6.25.4-4.i686)
root (hd0,0)
kernel /vmlinuz-2.6.25.4-4.686 ro root=/dev/md1 rhgb quiet selinux=0 panic=5 ramdisk_size=128000
initrd /initrd-2.6.25.4-4.i686.img

Non ASL kernels will not have the work "art" in them. From the example above that would be the kernel named:

title CentOS (2.6.25.4-4.i686)

We have no idea what kernels are and are not installed on your system, so you'll have to pick whatever kernel you want to boot into.

To do that just change this line in /etc/grub.conf:

default=0

To the number of the kernel you want to boot into. Keep in mind Linux's boot manager sets the first kernel as "0", the second as "1" and so on. So in the example above if you wanted to boot into this kernel:

title CentOS (2.6.25.4-4.i686)

You would set the line to:

default=2

Now save the file /etc/grub.conf

Step 3:

Reboot.

And do I need to undo the steps taken to disallow TPE (mentioned above in this post) before I go through the steps which will set up the loading of my previous kernel?

No, you don't have to do anything. If you set your system to boot into a non-ASL kernel then TPE doesnt matter anymore.

Option 2: How to set Dr. Web to run insecurely:

If you want to use the ASL kernel with Dr. Web, the process of configuring their software to be allowed to run with mprotect is also pretty simple. You just need to configure the system to allow Dr. Web to use mprotect:

chpax -spm /opt/drweb/drwebdeb/drweb
chpax -spm /opt/drweb/drwebd

We don't use Dr. Web, but a quick google seems to indicate these are its binaries. I'd love to download a demo of their product to find out what the binaries are, but I'm not having any luck finding a demo (if someone wants to provide access to a box with it, I'd like to take a look). If by some chance the drweb binaries are somewhere else you'd have to change the paths above.

Option 3: I'll do this for you

Just provide me with access to your box (mike AT atomicorp DOT com) and I'll set your system to boot into a non-ASL kernel. I'll even get Dr. Web working with the ASL kernel, I'd honestly like to know what the binaries are so someone that does want to use a secure kernel won't have to trade that for email virus scanning from Dr. Web. Then you'll need to reboot it when you are ready. This is not official support from Atomicorp, so please don't contact the support team, this is a favor from me to you.

https://www.atomicorp.com/wiki/index.ph ... _system.3F

BTW, ASL already includes antivirus, you don't need Dr. Web. DR. Web only scans email, ASL's antivirus scans email, FTP and web uploads to your server and provides real time antivirus of the file system. So if you are concerned about antivirus, you already have it. I'm not saying you may not have your reasons for using Dr. Web or that your shouldnt, just that ASL includes this already so you can probably save yourself some money.

And finally, we would be more than happy to give you a full refund and disable your ASL license. Please let us know if you would like us to do that for you.

Sorry, this is totally off topic, but Mike, you have really outdone yourself this time. Your must the the most caring and dedicated support personal/founder/extraordinary guru there is. Sometimes I feel like cancelling one of my ASL subscriptions, I have one to many, but then I read something like this and realize that my extra subscription is an extremely low price to pay for having this kind of service. Even if I don't need it myself right now, I kinda feels like my extra subscription give someone else that little extra mile. Mike, you rock! I'm proud to have you as a LinkedIn connection!

(Sorry Scott, this was a Mike celebration. You are of course also up there at the top of my all time high, computer gurus, but right now, let's give Mike the spotlight! )

Thank you Biggles

I agree with biggles.
What an exceptionally helpful post.
I am sorry that my knowledge is so inexperienced.
Let me get myself up off the floor and re-read the post...

Being somewhat embarassed about my lack of experience, a part of me wants to say, "just load into the previous kernel" because I wonder if I may be less hassle to you in the future if this was the case.

Being somewhat of a techhead, I would like the ASL kernel to operate with Dr. Web.

Why Dr. Web? It's all to do with a little green icon. My clients can see and enable options for antivirus via their Plesk Domain Administrator account. I looked into clamav in a post on this forum and, at the time, I think that I decided that I did not have enough experience to setup, configure and manage this option. At some time in the future, I will look into this again.

Regading Parallels Support, I feel quite sure, after all this time, that the only thing that they will accept is "load usual stock kernel instead of art's kernel." I fear that they will not continue support for my current ticket unless that option is followed.

I understand that the Dr. Web (now called Plesk Premium Antivirus) program operates in an non-secure way. In particular, the Parallels-associated licence key update function. Why the main Parallels license does not experience the same problem - is beyond my understanding.

You have provided so many generous options in your post that I am quite humbled. Maybe I am just too exhausted now, by this problem - that is definately a possibility. I am exhausted and lacking sleep.

Option 1:
I have taken a look at: /etc/grub.conf and I believe that I could configure it on my system according to your instructions.

Option 2:
Is not something that I would attempt after all this time. The mprotect issue has only been identifed since Parallels attempted to re-install Dr. Web. This has been a large part of the reason as to why I have had so much difficulty doing anything about this problem myself. There are no identifiable errors, except for the TPE one. I have no idea if this mprotect issue also relates to the license update problem and I have no idea, after disabling TPE and changing mprotect settings, if a further issue will be discovered. The problem has gone on for too long. I need to choose Options 1 or 3.

I believe in the ASL program, so, "I would like the ASL kernel to operate with Dr. Web." I would not consider removing my 2 installations of ASL, however you may prefer that I do this it may make your life easier. I am truly sorry for the hassle that this issue is.

Option 3:
Your offer, "I'll even get Dr. Web working with the ASL kernel" - is my primary preference.

I have sent an email.

Option 3 all done. Dr. Web is now working with ASL kernel:

[root@loft2234 ~]# uname -a
Linux loft2234.serverloft.com 2.6.32.21-3.art.x86_64 #1 SMP Tue Sep 7 16:57:34 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[root@loft2234 ~]# rpm -Uvh --force /root/parallels/PSA_9.2.3/dist-rpm-CentOS-5-x86_64/opt/drweb/drweb-daemon-5.0.1-0plesk.i386.rpm
Preparing... ########################################### [100%]
Shutting down Dr. Web daemon...
1:drweb-daemon ########################################### [100%]
Starting Dr. Web daemon...
Dr.Web (R) daemon for Linux/Plesk Edition v5.0.0 (Jun 4 2009)
Copyright (c) Igor Daniloff, 1992-2009
Doctor Web, Moscow, Russia
Support service: http://support.drweb.com
To purchase: http://buy.drweb.com
Shell version: 5.0.0.10060 <API:2.2>
Engine version: 5.0.2.3300 <API:2.2>
Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 1008
Loading /var/drweb/bases/drwdaily.vdb - Ok, virus records: 7493
Loading /var/drweb/bases/drw50048.vdb - Ok, virus records: 8231
Loading /var/drweb/bases/drw50047.vdb - Ok, virus records: 10397
Loading /var/drweb/bases/drw50046.vdb - Ok, virus records: 11234
Loading /var/drweb/bases/drw50045.vdb - Ok, virus records: 10356
Loading /var/drweb/bases/drw50044.vdb - Ok, virus records: 11383
Loading /var/drweb/bases/drw50043.vdb - Ok, virus records: 8957
Loading /var/drweb/bases/drw50042.vdb - Ok, virus records: 11015
Loading /var/drweb/bases/drw50041.vdb - Ok, virus records: 11168
Loading /var/drweb/bases/drw50040.vdb - Ok, virus records: 7798
Loading /var/drweb/bases/drw50039.vdb - Ok, virus records: 7873
Loading /var/drweb/bases/drw50038.vdb - Ok, virus records: 6904
Loading /var/drweb/bases/drw50037.vdb - Ok, virus records: 6503
Loading /var/drweb/bases/drw50036.vdb - Ok, virus records: 9823
Loading /var/drweb/bases/drw50035.vdb - Ok, virus records: 7572
Loading /var/drweb/bases/drw50034.vdb - Ok, virus records: 6996
Loading /var/drweb/bases/drw50033.vdb - Ok, virus records: 16360
Loading /var/drweb/bases/drw50032.vdb - Ok, virus records: 29168
Loading /var/drweb/bases/drw50031.vdb - Ok, virus records: 34202
Loading /var/drweb/bases/drw50030.vdb - Ok, virus records: 28292
Loading /var/drweb/bases/drw50029.vdb - Ok, virus records: 27164
Loading /var/drweb/bases/drw50028.vdb - Ok, virus records: 25131
Loading /var/drweb/bases/drw50027.vdb - Ok, virus records: 31464
Loading /var/drweb/bases/drw50026.vdb - Ok, virus records: 18281
Loading /var/drweb/bases/drw50025.vdb - Ok, virus records: 18009
Loading /var/drweb/bases/drw50024.vdb - Ok, virus records: 24685
Loading /var/drweb/bases/drw50023.vdb - Ok, virus records: 13651
Loading /var/drweb/bases/drw50022.vdb - Ok, virus records: 16025
Loading /var/drweb/bases/drw50021.vdb - Ok, virus records: 15644
Loading /var/drweb/bases/drw50020.vdb - Ok, virus records: 23265
Loading /var/drweb/bases/drw50019.vdb - Ok, virus records: 23135
Loading /var/drweb/bases/drw50018.vdb - Ok, virus records: 20510
Loading /var/drweb/bases/drw50017.vdb - Ok, virus records: 25475
Loading /var/drweb/bases/drw50016.vdb - Ok, virus records: 16298
Loading /var/drweb/bases/drw50015.vdb - Ok, virus records: 19357
Loading /var/drweb/bases/drw50014.vdb - Ok, virus records: 18381
Loading /var/drweb/bases/drw50013.vdb - Ok, virus records: 19562
Loading /var/drweb/bases/drw50012.vdb - Ok, virus records: 27102
Loading /var/drweb/bases/drw50011.vdb - Ok, virus records: 21223
Loading /var/drweb/bases/drw50010.vdb - Ok, virus records: 24847
Loading /var/drweb/bases/drw50009.vdb - Ok, virus records: 23251
Loading /var/drweb/bases/drw50008.vdb - Ok, virus records: 14982
Loading /var/drweb/bases/drw50007.vdb - Ok, virus records: 16817
Loading /var/drweb/bases/drw50006.vdb - Ok, virus records: 18725
Loading /var/drweb/bases/drw50005.vdb - Ok, virus records: 18429
Loading /var/drweb/bases/drw50004.vdb - Ok, virus records: 6225
Loading /var/drweb/bases/drw50003.vdb - Ok, virus records: 142240
Loading /var/drweb/bases/drw50002.vdb - Ok, virus records: 66726
Loading /var/drweb/bases/drw50001.vdb - Ok, virus records: 24512
Loading /var/drweb/bases/drw50000.vdb - Ok, virus records: 82762
Loading /var/drweb/bases/drwebase.vdb - Ok, virus records: 508543
Loading /var/drweb/bases/dwrtoday.vdb - Ok, virus records: 1498
Loading /var/drweb/bases/dwr50008.vdb - Ok, virus records: 1959
Loading /var/drweb/bases/dwr50007.vdb - Ok, virus records: 2033
Loading /var/drweb/bases/dwr50006.vdb - Ok, virus records: 1812
Loading /var/drweb/bases/dwr50005.vdb - Ok, virus records: 1738
Loading /var/drweb/bases/dwr50004.vdb - Ok, virus records: 1885
Loading /var/drweb/bases/dwr50003.vdb - Ok, virus records: 2091
Loading /var/drweb/bases/dwr50002.vdb - Ok, virus records: 1569
Loading /var/drweb/bases/dwr50001.vdb - Ok, virus records: 1834
Loading /var/drweb/bases/dwntoday.vdb - Ok, virus records: 391
Loading /var/drweb/bases/dwn50020.vdb - Ok, virus records: 1833
Loading /var/drweb/bases/dwn50019.vdb - Ok, virus records: 1614
Loading /var/drweb/bases/dwn50018.vdb - Ok, virus records: 2297
Loading /var/drweb/bases/dwn50017.vdb - Ok, virus records: 2110
Loading /var/drweb/bases/dwn50016.vdb - Ok, virus records: 2007
Loading /var/drweb/bases/dwn50015.vdb - Ok, virus records: 2370
Loading /var/drweb/bases/dwn50014.vdb - Ok, virus records: 2241
Loading /var/drweb/bases/dwn50013.vdb - Ok, virus records: 2596
Loading /var/drweb/bases/dwn50012.vdb - Ok, virus records: 2024
Loading /var/drweb/bases/dwn50011.vdb - Ok, virus records: 1609
Loading /var/drweb/bases/dwn50010.vdb - Ok, virus records: 1471
Loading /var/drweb/bases/dwn50009.vdb - Ok, virus records: 1445
Loading /var/drweb/bases/dwn50008.vdb - Ok, virus records: 1895
Loading /var/drweb/bases/dwn50007.vdb - Ok, virus records: 2312
Loading /var/drweb/bases/dwn50006.vdb - Ok, virus records: 3006
Loading /var/drweb/bases/dwn50005.vdb - Ok, virus records: 2146
Loading /var/drweb/bases/dwn50004.vdb - Ok, virus records: 1714
Loading /var/drweb/bases/dwn50003.vdb - Ok, virus records: 2095
Loading /var/drweb/bases/dwn50002.vdb - Ok, virus records: 2715
Loading /var/drweb/bases/dwn50001.vdb - Ok, virus records: 2545
Loading /var/drweb/bases/dwn50000.vdb - Ok, virus records: 2801
Loading /var/drweb/bases/drwrisky.vdb - Ok, virus records: 6197
Loading /var/drweb/bases/drwnasty.vdb - Ok, virus records: 28348
Total virus records: 1701355
Key file: /opt/drweb/drweb32.key - loaded.
License key number: 0012840173
License key activates: 2010-10-19
License key expires: 2010-11-19
License for Internet gateways: None
License for file-servers: Unlimited
License for mail-servers: Unlimited
Daemon is installed, active interfaces: /var/drweb/run/.daemon 127.0.0.1:3000

For future reference, if anyone has to deal with this product in the future you just need to allow drweb to smash your stack with mprotect:

chpax -m /opt/drweb/drwebd.real

/opt/drweb/drwebd.real is the path to the actual binary, which for some reason has changed.

During RPM install if you are running a secure kernel, like ASL, you may have to hammer this home with a loop running during their install process - as they dont give you a chance to set anything, they just blindly push on through (sigh). I dont have the source rpm for drweb, otherwise you could just add this before they run the daemon.

while true; do chpax -m /opt/drweb/drwebd.real; done

This basically starts a loop to set the bit, so that its set before the installer rpm tries to run their application during the rpm install (rpm should not do that...). It would be much nicer if Parallels cared about making their product work themselves, but hey, ASL already provides antivirus so don't waste your money on their product - especially if they aren't going to bother to make it work with anything.

We'll see if we can add in an icon to the Plesk GUI.

Now I'm off to enjoy my day off.

Yahoo!
I feel like I just watched the Chicago Bears wipe up the New England Patriots in the next Superbowl (fantasy of course) and I have to stand up and scream my lungs out!

I thank you very much for your time & effort, Mike.

Parallels had actually already managed to get Dr. Web working. And they also did this one other time during the history of this issue. The problem is that the auto-update of the license key (License key expires: 2010-11-19) will not function. (see original subject of post)

My way of testing that this will fail is via Plesk Panel.
License Management > Additional License Keys > Key name drweb-unix > Retreive Additional Key
Status of additional key update
Product "drweb-unix" not installed

A subsequent email is received:
Unable to update PLSK013581560001. An error occured while processing your key. You can try to update it later.

On my other box which does not have the ASL kernel installed because it is openvz; the above set of steps:
Updating Additional Key
Status of additional key update
License key PLSK.00677242.0062 is up-to-date

A subsequent email is received:
License key PLSK.00677242.0062 is up-to-date

We have only seen the mprotect issue when the product is re-installed.
I apologise if I did not mention that Dr. Web was actually working.
Nevertheless, I understand that one can only work off error messages.
Parallels attempted re-install whilst investigating the license update issue and that produced the mprotect issue.
Thank you very much for solving this problem.

Upon manual license update we saw the TPE error.
This error no longer exists.
Currently, I cannot see any errors in any system logs which will assist with this license update problem.
Unless someone can advise where I should look; I have done the best examination that I can.
The main Plesk key does not experience this update problem.

So, as far as I can see, I only have two options left:
1. See if Paralles Support will continue investigating my ticket now that the re-install issue is fixed.
2. Revert to stock kernel instead of art's kernel as indicated by Parallels Support.

The third option of uninstalling Dr. Web and configuring clamAV, I recall, created a system failure which could only be solved by re-installing Dr. Web so, unfortunately, I am too inexperienced to manage this option.

Thanks for the feedback. Unfortunately, I can confirm that your issue is NOT caused by the ASL kernel. I just rebooted your box into the default Centos kernel and the same error occurs:

[atomic@loft2234 ~]$ uname -a
Linux loft2234.serverloft.com 2.6.18-194.8.1.el5 #1 SMP Thu Jul 1 19:04:48 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

Product "drweb-unix" not installed.

This is definitely a Parallels issue. I left your system running the insecure stock kernel just so Parallels wouldn't continue to dodge their responsibility to fix their product.

I have sent the details of your recent efforts to Parallels.
After 2 months of being told this by Parallels you can probably guess how annoyed I am.
Annoyed at them and pissed off that I have had to waste your valuable time.

Its all good, I only wish I could say that their advice fixed the problem.

I am receiving these errors.

kernel: execdata[16944]: segfault at 0000000000601264 rip 0000000000601264 rsp 00007fffc433ac28 error 15
kernel: execheap[16951]: segfault at 0000000013b90130 rip 0000000013b90130 rsp 00007fff546beb38 error 15
kernel: execstack[16958]: segfault at 00007fff436782e0 rip 00007fff436782e0 rsp 00007fff436782d8 error 15
kernel: shlibbss[17224]: segfault at 00002ad273dd77e0 rip 00002ad273dd77e0 rsp 00007fffb215c578 error 15
kernel: shlibdata[17231]: segfault at 00002ac70b80d7c0 rip 00002ac70b80d7c0 rsp 00007fff59f27e38 error 15
kernel: anonmap[19769]: segfault at 00002aaaaaaab000 rip 00002aaaaaaab000 rsp 00007fffbb13ded8 error 15

running asl -s -f to see if that helps.